HANA Database: System Privileges

The following general system privileges are available in the SAP HANA database system.

| System Privilege | Description |
| --- | --- |
| ADAPTER ADMIN | Controls the execution of the following adapter-related statements: CREATE ADAPTER / DROP ADAPTER and ALTER ADAPTER. It also allows access to the ADAPTERS and ADAPTER_LOCATIONS system views. |
| AGENT ADMIN | Controls the execution of the following agent-related statements: CREATE AGENT / DROP AGENT and ALTER AGENT. It also allows access to the AGENTS and ADAPTER_LOCATIONS system views. |
| ATTACH DEBUGGER | Authorizes debugging across different user sessions. For example, userA can grant ATTACH DEBUGGER to userB to allow userB to debug a procedure in userA's session (userB still needs the DEBUG privilege on the procedure, however). |
| AUDIT ADMIN | Controls the execution of the following auditing-related statements: CREATE AUDIT POLICY / DROP AUDIT POLICY and ALTER AUDIT POLICY, as well as changes to the auditing configuration. It also allows access to the AUDIT_LOG / XSA_AUDIT_LOG and ALL_AUDIT_LOG system views. |
| AUDIT OPERATOR | Authorizes the execution of the following statement: ALTER SYSTEM CLEAR AUDIT LOG. It also allows access to the AUDIT_LOG system view. |
| AUDIT READ | Authorizes read-only access to the rows of the AUDIT_LOG / XSA_AUDIT_LOG and ALL_AUDIT_LOG system views. |
| BACKUP ADMIN | Authorizes BACKUP and RECOVERY statements for defining and initiating backup and recovery procedures. It also authorizes changing system configuration options with respect to backup and recovery. |
| BACKUP OPERATOR | Authorizes the BACKUP statement to initiate a backup. |
| CATALOG READ | Authorizes unfiltered access to the data in the system views that a user has already been granted the SELECT privilege on. Normally the content of these views is filtered based on the privileges of the user. CATALOG READ does not allow a user to view system views on which they have not been granted the SELECT privilege. |
| CERTIFICATE ADMIN | Authorizes the changing of certificates and certificate collections that are stored in the database. |
| CLIENT PARAMETER ADMIN | Authorizes a user to override the value of the CLIENT parameter for a database connection or to overwrite the value of the $$client$$ parameter in an SQL query. |
| CREATE CLIENTSIDE ENCRYPTION KEYPAIR | Authorizes a user to create client-side encryption key pairs. |
| CREATE R SCRIPT | Authorizes the creation of a procedure by using the language R. |
| CREATE REMOTE SOURCE | Authorizes the creation of remote data sources by using the CREATE REMOTE SOURCE statement. |
| CREATE SCENARIO | Controls the creation of calculation scenarios and cubes (calculation database). |
| CREATE SCHEMA | Authorizes the creation of database schemas using the CREATE SCHEMA statement. |
| CREATE STRUCTURED PRIVILEGE | Authorizes the creation of structured (analytic) privileges. Only the owner of the privilege can further grant or revoke that privilege to other users or roles. |
| CREDENTIAL ADMIN | Authorizes the use of the statements CREATE CREDENTIAL / ALTER CREDENTIAL and DROP CREDENTIAL. |
| DATA ADMIN | Authorizes reading all data in the system views. It also enables execution of Data Definition Language (DDL) statements in the SAP HANA database. A user with this privilege cannot select or change data in stored tables for which they do not have access privileges, but they can drop tables or modify table definitions. |
| DATABASE ADMIN | Authorizes all statements related to tenant databases, such as CREATE / DROP / ALTER / RENAME / BACKUP and RECOVERY. |
| DATABASE START | Authorizes a user to start any database in the system and to select from the M_DATABASES view. |
| DATABASE STOP | Authorizes a user to stop any database in the system and to select from the M_DATABASES view. |
| DROP CLIENTSIDE ENCRYPTION KEYPAIR | Authorizes a user to drop other users' client-side encryption key pairs. |
| ENCRYPTION ROOT KEY ADMIN | Authorizes all statements related to management of root keys. Allows access to the system views pertaining to encryption (for example ENCRYPTION_ROOT_KEYS / M_ENCRYPTION_OVERVIEW / M_PERSISTENCE_ENCRYPTION_STATUS / M_PERSISTENCE_ENCRYPTION_KEYS and so on). |
| EXPORT | Authorizes EXPORT to a file on the SAP HANA server. The user must also have the SELECT privilege on the source tables to be exported. |
| EXTENDED STORAGE ADMIN | Authorizes the management of SAP HANA dynamic tiering and the creation of extended storage. |
| IMPORT | Authorizes the import activity in the database using the IMPORT statements. The user must also have the INSERT privilege on the target tables to be imported. |
| INIFILE ADMIN | Authorizes making changes to system settings. |
| LDAP ADMIN | Authorizes the use of the CREATE \| ALTER \| DROP \| VALIDATE LDAP PROVIDER statements. |
| LICENSE ADMIN | Authorizes the use of the SET SYSTEM LICENSE statement to install a new license. |
| LOG ADMIN | Authorizes the use of the ALTER SYSTEM LOGGING [ON \| OFF] statements to enable or disable the log flush mechanism. |
| MONITOR ADMIN | Authorizes the use of the ALTER SYSTEM statements for events. |
| OPTIMIZER ADMIN | Authorizes the use of the ALTER SYSTEM statements concerning SQL PLAN CACHE and ALTER SYSTEM UPDATE STATISTICS statements, which influence the behavior of the query optimizer. |
| RESOURCE ADMIN | Authorizes statements concerning system resources (for example the ALTER SYSTEM RECLAIM DATAVOLUME and ALTER SYSTEM RESET MONITORING VIEW statements). It also authorizes many of the statements available in the Management Console. |
| ROLE ADMIN | Authorizes the creation and deletion of roles by using the CREATE ROLE and DROP ROLE statements. It also authorizes the granting and revoking of roles by using the GRANT and REVOKE statements. Activated repository roles, meaning roles whose creator is the predefined user _SYS_REPO, can neither be granted to other roles or users nor dropped directly. Not even users with the ROLE ADMIN privilege can do so. Check the documentation concerning activated objects. |
| SAVEPOINT ADMIN | Authorizes the execution of a savepoint using the ALTER SYSTEM SAVEPOINT statement. |
| SCENARIO ADMIN | Authorizes all calculation scenario-related activities (including creation). |
| SERVICE ADMIN | Authorizes the ALTER SYSTEM [START\|CANCEL\|RECONFIGURE] statements for administering system services of the database. |
| SESSION ADMIN | Authorizes the ALTER SYSTEM commands concerning sessions to stop or disconnect a user session or to change session variables. |
| SSL ADMIN | Authorizes the use of the SET…PURPOSE SSL statement. It also allows access to the PSES system view. |
| STRUCTUREDPRIVILEGE ADMIN | Authorizes the creation / reactivation and dropping of structured (analytic) privileges. |
| TENANT ADMIN | Authorizes the tenant operations performed by the ALTER SYSTEM [RESUME\|SUSPEND] TENANT statements. |
| TABLE ADMIN | Authorizes LOAD / UNLOAD and MERGE of tables and table placement. |
| TRACE ADMIN | Authorizes the use of the ALTER SYSTEM…TRACES statements for operations on database trace files and authorizes changing trace system settings. |
| TRUST ADMIN | Authorizes the use of statements to update the trust store. |
| USER ADMIN | Authorizes the creation and modification of users by using the CREATE \| ALTER \| DROP USER statements. |
| VERSION ADMIN | Authorizes the use of the ALTER SYSTEM RECLAIM VERSION SPACE statement of the multi-version concurrency control (MVCC) feature. |
| WORKLOAD ADMIN | Authorizes execution of the workload class and mapping statements (for example CREATE \| ALTER \| DROP WORKLOAD CLASS and CREATE \| ALTER \| DROP WORKLOAD MAPPING). |
| WORKLOAD ANALYZE ADMIN | Used by the Analyze Workload / Capture Workload and Replay Workload applications when performing workload analysis. |
| WORKLOAD CAPTURE ADMIN | Authorizes access to the monitoring view M_WORKLOAD_CAPTURES to see the current status of capturing and captured workloads, as well as the execution of actions with the WORKLOAD_CAPTURE procedure. |
| WORKLOAD REPLAY ADMIN | Authorizes access to the monitoring views M_WORKLOAD_REPLAY_PREPROCESSES and M_WORKLOAD_REPLAYS to see the current status of preprocessing / preprocessed / replaying and replayed workloads, as well as the execution of actions with the WORKLOAD_REPLAY procedure. |
| identifier.identifier | Components of the SAP HANA database can create new system privileges. These privileges use the component-name as the first identifier of the system privilege and the component-privilege-name as the second identifier. |
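
An access-review query for the privileges listed above, as an added example that is not part of the original page. It reads the SAP HANA system view SYS.GRANTED_PRIVILEGES; the choice of which privileges to review and the "audit plus administration" combination flag are assumptions of this example, to be adjusted to local policy.

```sql
-- Added example (not from the original page): list every grantee that
-- directly holds one of the reviewed system privileges, and flag grantees
-- that combine audit-trail control with user/role/data administration.
-- The IN list and the combination rule are assumptions of this example.
SELECT
    GRANTEE,
    GRANTEE_TYPE,                                   -- 'USER' or 'ROLE'
    STRING_AGG(PRIVILEGE, ', ' ORDER BY PRIVILEGE)  AS SYSTEM_PRIVILEGES,
    -- 1 if at least one of the privileges may be granted onward
    MAX(CASE WHEN IS_GRANTABLE = 'TRUE' THEN 1 ELSE 0 END) AS CAN_GRANT_ONWARD,
    CASE
        WHEN SUM(CASE WHEN PRIVILEGE IN ('AUDIT ADMIN', 'AUDIT OPERATOR')
                      THEN 1 ELSE 0 END) > 0
         AND SUM(CASE WHEN PRIVILEGE IN ('USER ADMIN', 'ROLE ADMIN', 'DATA ADMIN')
                      THEN 1 ELSE 0 END) > 0
        THEN 'YES'
        ELSE 'NO'
    END AS AUDIT_AND_ADMIN_COMBINED
FROM SYS.GRANTED_PRIVILEGES
WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
  AND PRIVILEGE IN (
        'AUDIT ADMIN',      -- create/alter/drop audit policies
        'AUDIT OPERATOR',   -- ALTER SYSTEM CLEAR AUDIT LOG
        'USER ADMIN',       -- create/alter/drop users
        'ROLE ADMIN',       -- create/drop/grant/revoke roles
        'DATA ADMIN',       -- DDL, including dropping tables
        'INIFILE ADMIN',    -- system settings
        'TRUST ADMIN',      -- trust store updates
        'CERTIFICATE ADMIN',
        'ENCRYPTION ROOT KEY ADMIN',
        'EXPORT',           -- export to a file on the HANA server
        'CATALOG READ'      -- unfiltered system view content
      )
GROUP BY GRANTEE, GRANTEE_TYPE
ORDER BY AUDIT_AND_ADMIN_COMBINED DESC, GRANTEE;
```

Rows with GRANTEE_TYPE 'ROLE' show privileges that reach users indirectly; resolve the holders of those roles through SYS.GRANTED_ROLES before closing the review.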
